Disclaimer 



In this talk you won't see all those formulas and bullets.
[...], code snippets [...]

From past experiences the speaker [...] elements are not useful.

You instead will see [...] convey better [...] the aforementioned [...] understand your idea.
Pictures which the speaker hopes will [...]ing of the ideas explained in the talk.

You don't want slides like this, do you?



Motivations 




Questions! 




Fuzzing 




How it used to be 




How it is today 
(aka the reason for this talk) 



Dumb fuzzing 




Smart Fuzzing 




Evolutionary Based Fuzzing 




The idea 






Static analysis 
metrics 






Data tainting 



In-memory fuzzing 



Code coverage/ 
fault monitor 



We need a filter 




Cyclomatic complexity 



This one 




Not this one 




Original formula 

M = E - N + 2P 

E: number of edges, N: number of nodes, P: number of connected components 



Why? Cyclomatic number 

M = E - N + P 



Simplify 

Formula 
M = E - N + 2 



Problem 




Loop detection 




Dominators 

[Comic strip: Dilbert, Scott Adams] 
Function 



[Figure: IDA disassembly of Calculator sub_3800 shown as a control-flow graph] 
Dominator tree 



[Figure: the sub_3800 control-flow graph with its dominator tree] 
Dominators 
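The filter described on the cyclomatic-complexity and dominator slides, as an added example that is not code from the talk: it computes dominators on a function's CFG, detects loops as back edges (an edge n -> h where h dominates n), and evaluates M = E - N + 2P. The CFG and its block names are constructed for the example.

```python
# Added example: score a function's control-flow graph the way the talk's
# filter does (cyclomatic complexity + loop detection via dominators).
# The CFG below is constructed by hand; block names B0..B4 are made up.

def dominators(cfg, entry):
    """Iterative dataflow: dom[n] = {n} | intersection of dom[p] over preds p of n."""
    nodes = list(cfg)
    preds = {n: [p for p in nodes if n in cfg[p]] for n in nodes}
    dom = {n: set(nodes) for n in nodes}
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for n in nodes:
            if n == entry or not preds[n]:
                continue                      # entry (or unreachable block): leave as is
            new = {n} | set.intersection(*(dom[p] for p in preds[n]))
            if new != dom[n]:
                dom[n], changed = new, True
    return dom

def back_edges(cfg, dom):
    """Edge n -> h closes a natural loop when h dominates n."""
    return [(n, h) for n in cfg for h in sorted(cfg[n]) if h in dom[n]]

def cyclomatic(cfg, components=1):
    """McCabe's M = E - N + 2P, the formula on the slides; P = 1 for one function."""
    edges = sum(len(succ) for succ in cfg.values())
    return edges - len(cfg) + 2 * components

def score(cfg, entry):
    """The two signals the filter ranks candidate functions on."""
    loops = back_edges(cfg, dominators(cfg, entry))
    return {"cyclomatic": cyclomatic(cfg), "loops": len(loops), "back_edges": loops}

# Constructed CFG: B1 is a loop header whose body B2 -> B3 jumps back to it,
# and B4 is the exit block taken when the loop ends.
CFG = {"B0": {"B1"}, "B1": {"B2", "B4"}, "B2": {"B3"}, "B3": {"B1"}, "B4": set()}

if __name__ == "__main__":
    print(score(CFG, "B0"))   # {'cyclomatic': 2, 'loops': 1, 'back_edges': [('B3', 'B1')]}
```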



[Figure: the sub_3800 control-flow graph with the dominators of each block highlighted] 





Is that enough? 





[Comic strip: Dilbert, "He's asleep." "He's employing heuristics."] 



Not enough 

Of course not, more heuristics needed 



#include <stdlib.h>
#include <string.h>

/* A "safe" wrapper as shown on the slide: grows the destination by one
 * byte and copies at most size bytes with strncpy. */
void *safe_strcpy(void *old_dest, void *src, int size){
    void *dst = realloc(old_dest, size + 1);
    strncpy(dst, src, size);
    return dst;
}


Add your own 




DEMO 




Questions! 




Data Tainting 




Dytan 



Taint sources 




Markings granularity 




Propagation 




add eax, ebx, edx 



Output 



Registers 
Memory locations 
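The propagation step described above (taint sources marked at byte granularity, marks propagated through instructions, tainted registers and memory locations reported), as an added example that is not Dytan's code: a small tracker run over a constructed x86-like trace that reads the ABCD buffer at 30f064-30f067 from the earlier slides.

```python
# Added example: byte-granularity taint propagation over a constructed trace.
# State key is a register name (str) or a byte address (int); the value is the
# set of input-byte marks that reached it. Only mov/add/sub/or/and are modelled.
class Tainter:
    def __init__(self):
        self.t = {}

    def mark_source(self, addr, nbytes, label):
        for i in range(nbytes):               # one mark per input byte (taint source)
            self.t[addr + i] = {f"{label}[{i}]"}

    def _mem(self, op):
        return int(op[1:-1], 16) if op.startswith("[") else None

    def get(self, op):
        base = self._mem(op)
        if base is None:                      # register (or immediate: never tainted)
            return set(self.t.get(op, ()))
        return set().union(*(self.t.get(base + i, ()) for i in range(4)))

    def put(self, op, m):
        base = self._mem(op)
        keys = [op] if base is None else [base + i for i in range(4)]
        for k in keys:                        # 4-byte register / dword memory operand
            if m:
                self.t[k] = set(m)
            else:
                self.t.pop(k, None)           # untainted write clears the location

    def step(self, ins):
        mnem, *ops = ins.replace(",", " ").split()
        if mnem == "mov":                     # dst takes exactly src's marks
            self.put(ops[0], self.get(ops[1]))
        elif mnem in ("add", "sub", "or", "and"):   # dst keeps its marks and gains src's
            self.put(ops[0], self.get(ops[0]) | self.get(ops[1]))

    def report(self):
        regs = {k: v for k, v in self.t.items() if isinstance(k, str)}
        mem = {k: v for k, v in self.t.items() if isinstance(k, int)}
        return regs, mem

TRACE = ["mov eax, [0x30f064]", "mov ebx, 7", "add ebx, eax",   # constructed trace
         "mov [0x30f100], ebx", "mov eax, 0"]

def run_trace():
    t = Tainter()
    t.mark_source(0x30f064, 4, "input")       # the ABCD buffer at 30f064-30f067
    for ins in TRACE:
        t.step(ins)
    return t.report()
```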



DEMO 




Questions! 




In-memory fuzzing 



DANGER 
WRONG WAY 

TURN BACK 



Problems 



Expertise and patience 






Memory instability 




False positives 




False negatives 




Mutation loop 

[Diagram: Function 1 → Function 2 → mutate → tested function → Function 3 → Function 4; snapshot, mutation, restoration, then back to Function 1] 




What do we do? 



• Hook image 

• Hook functions 

• Hook instructions 



First approach 




For instance... 



30f064-30f067: ABCD → 0x8a Y 0x00 K 



Second approach 




Example 



30f064-30f067: ABCD 

30f084-30f097: 0x89 K D F 0x96 0x00 J K U Y W 0xA7 0xB8 0x00 0x10 A T N 0x00 0xD3 



How? 



Good sample vs. evil sample 

Score = BB_executed / BB_total 
(basic blocks executed / total basic blocks) 

Halting: C_good [...] C_evil + t 
C_good: code coverage of the good sample 
C_evil: code coverage of the evil sample 
t: user-supplied threshold 



What do we use? 





zynamics 

www.zynamics.com 

BinNavi: graph visualization 






Code coverage 



Faults monitor 



DEMO 




Future - A reasoner 




Thanks 




Questions! 




More Info 

viozzo.wordpress.com 

@_snagg 
vincenzo.iozzo@zynamics.com 



